Enhancing Cybersecurity in Defence Robotics by Advancing Memory-Safe Robotics
The FOundations for Reliable, CorrEct, and Secure robotic systems (FORCES) project tackles a critical challenge in modern cybersecurity: ensuring the safety and resilience of robotic systems against cyber threats. By leveraging the power of memory-safe programming languages, specifically Rust, FORCES aims to transform the way robotic systems are designed and secured for defence applications.
Why Memory Safety Matters
Robotic systems play an essential role in high-stakes defence operations, from surveillance and reconnaissance to demining and payload delivery. However, many of these systems rely on legacy codebases written in C and C++, which allow direct memory manipulation—a leading cause of severe security vulnerabilities. Historical incidents, such as the Heartbleed bug and the BLASTPASS vulnerability, have underscored the risks posed by unsafe memory practices.
In response, the FORCES project addresses these vulnerabilities by pioneering a transition to Rust, a memory-safe programming language that prevents out-of-bounds errors and use-after-free bugs. By prioritizing memory safety, FORCES supports the resilience and security of robotic systems critical to defence.
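To make the out-of-bounds claim concrete, the following added example (not FORCES project code) processes a constructed heartbeat-style record whose length field is controlled by the sender, the pattern behind Heartbleed. The record layout and the names `echo_payload`, `EchoError` and `indexed_echo_panics` are assumptions made for illustration.

```rust
// Added illustration, not FORCES project code. The record layout is a
// constructed, simplified heartbeat-style message: [len_hi, len_lo, payload...].

#[derive(Debug, PartialEq)]
enum EchoError {
    Truncated, // the two-byte length header is incomplete
    LengthExceedsPayload { claimed: usize, available: usize },
}

/// Echo back `claimed` bytes of payload, where `claimed` is the
/// sender-controlled length field. In C, memcpy(dst, payload, claimed) reads
/// past the record when the field lies; here the slice lookup is
/// bounds-checked, so the lie becomes an error value instead of a leak.
fn echo_payload(record: &[u8]) -> Result<Vec<u8>, EchoError> {
    let header = record.get(..2).ok_or(EchoError::Truncated)?;
    let claimed = u16::from_be_bytes([header[0], header[1]]) as usize;
    let payload = &record[2..];
    payload
        .get(..claimed)
        .map(|bytes| bytes.to_vec())
        .ok_or(EchoError::LengthExceedsPayload { claimed, available: payload.len() })
}

/// The same logic with direct indexing: still memory-safe, but a lying length
/// field causes a panic (an availability problem) rather than an over-read.
/// Returns true if the call panicked.
fn indexed_echo_panics(record: &[u8]) -> bool {
    std::panic::catch_unwind(|| {
        let claimed = u16::from_be_bytes([record[0], record[1]]) as usize;
        record[2..2 + claimed].to_vec()
    })
    .is_err()
}

fn main() {
    let honest = [0x00, 0x04, b'p', b'i', b'n', b'g'];
    let lying = [0x40, 0x00, b'p', b'i', b'n', b'g']; // claims 16384 bytes, sends 4
    println!("{:?}", echo_payload(&honest));
    println!("{:?}", echo_payload(&lying));
    println!("indexed version panicked: {}", indexed_echo_panics(&lying));
}
```

The indexed variant shows that bounds checking alone turns a disclosure into a crash; returning an error, as `echo_payload` does, keeps the system running as well.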
Objectives of the FORCES Project
FORCES sets out to achieve three key objectives:
- Developing a Robust Transpilation Tool: This innovative tool will automatically convert legacy C/C++ code into Rust, enhancing memory safety while maintaining performance.
- Creating a Comprehensive Evaluation Framework: This framework will define metrics for correctness, security, performance, and maintainability, ensuring the automated transpilation process meets rigorous standards.
- Demonstrating Practical Applicability: The methodology will be validated across various defence-related robotic use cases, proving the effectiveness of the approach in real-world scenarios.
Expected Impact
By significantly reducing the attack surface of cyber-physical systems, FORCES will enhance the overall security of defence robotics. The adoption of Rust not only mitigates memory-related vulnerabilities but also fosters a culture of secure programming within the defence sector. These advancements will ensure greater resilience against cyber threats and improve trust in the systems produced by defence research institutions.
Project Execution
The FORCES project will unfold over three phases:
- Research Phase (Year 1): Focused on developing the transpilation methodology and defining evaluation metrics.
- Prototype Development (Year 2): Culminating in a TRL4 prototype, this phase will demonstrate the viability of the transpilation tool on selected defence robotic use cases.
- Refinement and Expansion Phase (Years 3-4): Aiming for TRL5, this phase will enhance the tool’s maturity and expand its application to a broader range of defence scenarios.
A Collaborative Effort
The FORCES project is a collaboration between three key partners:
- Vrije Universiteit Brussel (VUB): A leader in software engineering research, VUB will develop the transpilation methodology and define performance metrics.
- Royal Military Academy (RMA): With extensive experience in defence systems and robotics, RMA will provide realistic use cases for validation and contribute to refining the tools and metrics.
- Thales Belgium (TBE): As an industry leader in cybersecurity, TBE will define maintainability and security metrics to ensure the highest standards of security for the transpiled code.
Shaping the Future of Defence Robotics
Through state-of-the-art technologies and methodologies, including static analysis, automated testing, and performance evaluation, FORCES will establish new benchmarks for secure programming and resilient robotic systems in defence. The project’s outcomes will not only address current vulnerabilities but also lay the groundwork for a more secure future in cyber-physical systems.
Project Publications
2025
- R. De Greef, A. Discepoli, E. Aguililla Klein, T. Engels, K. Hasselmann, and A. Paolillo, “Towards Macro-Aware C-to-Rust Transpilation (WIP),” in Proceedings of the 26th ACM SIGPLAN/SIGBED International Conference on Languages, Compilers, and Tools for Embedded Systems, New York, NY, USA, 2025, p. 57–61.
The automatic translation of legacy C code to Rust presents significant challenges, particularly in handling preprocessor macros. C macros introduce metaprogramming constructs that operate at the text level, outside of C’s syntax tree, making their direct translation to Rust non-trivial. Existing transpilers (source-to-source compilers) expand macros before translation, sacrificing their abstraction and reducing code maintainability. In this work, we introduce Oxidize, a macro-aware C-to-Rust transpilation framework that preserves macro semantics by translating C macros into Rust-compatible constructs while selectively expanding only those that interfere with Rust’s stricter semantics. We evaluate our techniques on a small-scale study of real-world macros and find that the majority can be safely and idiomatically transpiled without full expansion.
@inproceedings{10.1145/3735452.3735535,
  author = {De Greef, Robbe and Discepoli, Attilio and Aguililla Klein, Esteban and Engels, Th{\'e}o and Hasselmann, Ken and Paolillo, Antonio},
  title = {Towards Macro-Aware C-to-Rust Transpilation (WIP)},
  year = {2025},
  isbn = {9798400719219},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3735452.3735535},
  doi = {10.1145/3735452.3735535},
  booktitle = {Proceedings of the 26th ACM SIGPLAN/SIGBED International Conference on Languages, Compilers, and Tools for Embedded Systems},
  pages = {57–61},
  numpages = {5},
  keywords = {Abstract Syntax Tree, C, Embedded, Macros, Metaprogramming, Preprocessor, Rust, Transpilation},
  location = {Seoul, Republic of Korea},
  unit = {meca-ras},
  project = {FORCES},
  series = {LCTES '25}
}
- T. Engels, A. Discepoli, R. De Greef, E. Aguililla Klein, F. D’Agostino, R. Gunsett, J. Pisane, K. Hasselmann, and A. Paolillo, “FORCES: An Incremental Transpiler from C/C++ to Rust for Robust and Secure Robotics Systems,” in Workshop on Rust for Robotics: Building Robust Foundations for Tomorrow’s Autonomous Systems, IEEE International Conference on Robotics and Automation (ICRA), 2025.
@inproceedings{engels2025forces,
  author = {Engels, Th{\'e}o and Discepoli, Attilio and De Greef, Robbe and Aguililla Klein, Esteban and D'Agostino, Francesco and Gunsett, Remi and Pisane, Jonathan and Hasselmann, Ken and Paolillo, Antonio},
  title = {{FORCES}: An Incremental Transpiler from {C/C++} to {Rust} for Robust and Secure Robotics Systems},
  booktitle = {Workshop on Rust for Robotics: Building Robust Foundations for Tomorrow’s Autonomous Systems, IEEE International Conference on Robotics and Automation (ICRA)},
  year = {2025},
  unit = {meca-ras},
  project = {FORCES},
  note = {Workshop Paper}
}
